How HITECH Recognized Security Practices Boost Healthcare Cybersecurity

The voluntary use of HITECH recognized security practices can help covered entities bolster their security postures and better protect themselves against top healthcare cybersecurity threats.

A 2021 amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act required the HHS Secretary to consider certain recognized security practices (RSPs) of covered entities and business associates when determining HIPAA Security Rule compliance and enforcement activities.

Essentially, the amendment incentivizes covered entities to implement healthcare cybersecurity best practices. Implementing RSPs is entirely voluntary, but evidence of implementation may be used as a mitigating factor in Office for Civil Rights (OCR) audits, investigations, and civil monetary penalty determinations in the aftermath of a data breach.

3 Categories of RSPs

When determining enforcement activities, the amendment specifically requires OCR to consider the RSPs that a regulated entity has had in place for the previous 12 months.

There are three categories of RSPs, Nick Heesters, senior advisor for cybersecurity at OCR, explained in an informational video on the topic. Entities have the flexibility to choose which of the three categories to submit evidence for when they receive a data request from OCR.

The first RSP consists of the standards, best practices, and guidelines under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, OCR explained. Entities that choose this RSP must implement security practices aligned with the NIST Cybersecurity Framework (CSF).

The NIST CSF is a highly comprehensive framework that can be applied to a variety of sectors, including healthcare. Each of the five core functions (identify, protect, detect, respond, and recover) consists of several categories and sub-categories that help organizations manage risk holistically and strategically.

The second RSP is based on Section 405(d) of the Cybersecurity Act of 2015. Entities choosing this RSP must implement the practices outlined in the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) technical volumes. The HICP provides actionable security guidance for organizations of all sizes and at varying resource levels.

The third category is simply titled “other” and may consist of different programs that address cybersecurity. Regulated entities that pick this path must choose a framework that is specifically recognized by a statute or regulation.

Benefits of Implementing RSPs

To Robert Booker, chief strategy officer at HITRUST, it is clear that there are many benefits to implementing RSPs.

“The HITECH Act really focused on this opportunity for organizations that are oftentimes victims of cybersecurity events and attacks to be incented to continue to invest in the right things around information security and cybersecurity expectations,” Booker said in an interview with HealthITSecurity.

“I think the Act as well as this recent guidance from OCR is very helpful.”

In the video, Heesters stressed the fact that “RSP implementation is strictly voluntary – there is no penalty for non-participation.”

However, as Booker noted, there are many perks to implementing RSPs, the main one being that the use of any of these frameworks can bolster a covered entity’s overall security posture and further incentivize the work that healthcare organizations are already doing to prioritize cybersecurity.

In addition, OCR will consider the implementation of RSPs as a “mitigating factor” in Security Rule audits and investigations, meaning that fines and other penalties may be reduced if organizations can show that they had RSPs in place for the previous 12 months.

“That concept of mitigating enforcement risk but also mitigating cyber threats together is important,” Booker stressed.

Booker encouraged healthcare entities to see the RSPs as an opportunity to bolster their security practices using modern frameworks like NIST CSF and HICP, which complement HIPAA compliance requirements. Reduced penalties aside, implementing RSPs can put organizations in a better position to combat cyber threats.

“My hope is that leaders in the industry will focus on this as an invitation to measure their programs in a new way and think about maturity measurement using more contemporary practices,” Booker said.

RSP Tips

In OCR’s video, Heesters provided tips and cleared up some remaining confusion surrounding RSPs. For example, Heesters noted that the HITECH amendment should not be interpreted as a safe harbor or immunity from liability for HIPAA Security Rule violations.

In addition, OCR clarified that covered entities seeking to have OCR consider the implementation of RSPs should ensure that they can demonstrate that they have implemented RSPs throughout the enterprise, from APIs to mobile devices and workstations.

“Merely having written recognized security practices, absent actual implementation of the practices, is insufficient,” Heesters noted.

“Implementation means the practices have been disseminated to necessary workforce members, and the practices are actually being used by the entity. A binder of RSPs sitting on a bookshelf doesn’t demonstrate that they have been implemented.”

Maintaining IT asset inventories and keeping track of policies and procedures, project plans, meeting minutes, and vendor contracts may all prove useful in providing evidence of RSP implementation to OCR.

“First and foremost, it’s knowing that you can speak the language,” Booker said. “If you look at NIST CSF, you want to be able to speak about the risk and the control selections against risk in a clear way.”

Transparency and clear communication will likely go a long way in helping covered entities demonstrate to OCR that they have implemented RSPs.

“But in order to get to that level of transparency, you also need assurance. Assurance is really the validation, testing, and examination of the controls.”

Regulated entities can also use the HITRUST Assurance Program and the HITRUST CSF framework, which aligns with the NIST CSF, to track the presence of key controls and provide evidence of RSPs. HITRUST said it expects to distribute additional materials in the future to help organizations document RSPs.

Although RSP implementation is voluntary, organizations that implement enhanced security controls and are able to demonstrate evidence of those controls will be better positioned to tackle cyber threats.